Analysis Overview
SHA256
bbf2226c9443f2634fe8a4d38ce483f04e5ac842f4c9ef0fb3fae307e2c22f67
Threat Level: Known bad
The file 2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 20:45
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 20:45
Reported
2024-08-07 20:48
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rDreWbx.exe | N/A |
| N/A | N/A | C:\Windows\System\KgedotH.exe | N/A |
| N/A | N/A | C:\Windows\System\gkHBXqY.exe | N/A |
| N/A | N/A | C:\Windows\System\DfGexrZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OEoWvcW.exe | N/A |
| N/A | N/A | C:\Windows\System\MgaWYvl.exe | N/A |
| N/A | N/A | C:\Windows\System\bZzcaMg.exe | N/A |
| N/A | N/A | C:\Windows\System\UJjNtqb.exe | N/A |
| N/A | N/A | C:\Windows\System\WCaHcGE.exe | N/A |
| N/A | N/A | C:\Windows\System\jagsQZO.exe | N/A |
| N/A | N/A | C:\Windows\System\rZfsyZY.exe | N/A |
| N/A | N/A | C:\Windows\System\enVsYLm.exe | N/A |
| N/A | N/A | C:\Windows\System\uXmRCHH.exe | N/A |
| N/A | N/A | C:\Windows\System\qgcORui.exe | N/A |
| N/A | N/A | C:\Windows\System\LlToKnI.exe | N/A |
| N/A | N/A | C:\Windows\System\xtGiAOO.exe | N/A |
| N/A | N/A | C:\Windows\System\otlDeAF.exe | N/A |
| N/A | N/A | C:\Windows\System\pQamAyj.exe | N/A |
| N/A | N/A | C:\Windows\System\dFiKvqq.exe | N/A |
| N/A | N/A | C:\Windows\System\PcNtlnF.exe | N/A |
| N/A | N/A | C:\Windows\System\oHetrLN.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\rDreWbx.exe | C:\Windows\System\rDreWbx.exe |
| C:\Windows\System\KgedotH.exe | C:\Windows\System\KgedotH.exe |
| C:\Windows\System\gkHBXqY.exe | C:\Windows\System\gkHBXqY.exe |
| C:\Windows\System\DfGexrZ.exe | C:\Windows\System\DfGexrZ.exe |
| C:\Windows\System\OEoWvcW.exe | C:\Windows\System\OEoWvcW.exe |
| C:\Windows\System\MgaWYvl.exe | C:\Windows\System\MgaWYvl.exe |
| C:\Windows\System\bZzcaMg.exe | C:\Windows\System\bZzcaMg.exe |
| C:\Windows\System\UJjNtqb.exe | C:\Windows\System\UJjNtqb.exe |
| C:\Windows\System\WCaHcGE.exe | C:\Windows\System\WCaHcGE.exe |
| C:\Windows\System\jagsQZO.exe | C:\Windows\System\jagsQZO.exe |
| C:\Windows\System\rZfsyZY.exe | C:\Windows\System\rZfsyZY.exe |
| C:\Windows\System\enVsYLm.exe | C:\Windows\System\enVsYLm.exe |
| C:\Windows\System\uXmRCHH.exe | C:\Windows\System\uXmRCHH.exe |
| C:\Windows\System\qgcORui.exe | C:\Windows\System\qgcORui.exe |
| C:\Windows\System\LlToKnI.exe | C:\Windows\System\LlToKnI.exe |
| C:\Windows\System\xtGiAOO.exe | C:\Windows\System\xtGiAOO.exe |
| C:\Windows\System\otlDeAF.exe | C:\Windows\System\otlDeAF.exe |
| C:\Windows\System\pQamAyj.exe | C:\Windows\System\pQamAyj.exe |
| C:\Windows\System\dFiKvqq.exe | C:\Windows\System\dFiKvqq.exe |
| C:\Windows\System\PcNtlnF.exe | C:\Windows\System\PcNtlnF.exe |
| C:\Windows\System\oHetrLN.exe | C:\Windows\System\oHetrLN.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 20:45
Reported
2024-08-07 20:48
Platform
win7-20240705-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rDreWbx.exe | N/A |
| N/A | N/A | C:\Windows\System\gkHBXqY.exe | N/A |
| N/A | N/A | C:\Windows\System\KgedotH.exe | N/A |
| N/A | N/A | C:\Windows\System\DfGexrZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OEoWvcW.exe | N/A |
| N/A | N/A | C:\Windows\System\MgaWYvl.exe | N/A |
| N/A | N/A | C:\Windows\System\bZzcaMg.exe | N/A |
| N/A | N/A | C:\Windows\System\UJjNtqb.exe | N/A |
| N/A | N/A | C:\Windows\System\WCaHcGE.exe | N/A |
| N/A | N/A | C:\Windows\System\jagsQZO.exe | N/A |
| N/A | N/A | C:\Windows\System\rZfsyZY.exe | N/A |
| N/A | N/A | C:\Windows\System\enVsYLm.exe | N/A |
| N/A | N/A | C:\Windows\System\uXmRCHH.exe | N/A |
| N/A | N/A | C:\Windows\System\qgcORui.exe | N/A |
| N/A | N/A | C:\Windows\System\LlToKnI.exe | N/A |
| N/A | N/A | C:\Windows\System\xtGiAOO.exe | N/A |
| N/A | N/A | C:\Windows\System\otlDeAF.exe | N/A |
| N/A | N/A | C:\Windows\System\pQamAyj.exe | N/A |
| N/A | N/A | C:\Windows\System\dFiKvqq.exe | N/A |
| N/A | N/A | C:\Windows\System\PcNtlnF.exe | N/A |
| N/A | N/A | C:\Windows\System\oHetrLN.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-07_5fc2120ad990206c8547c85e380f9430_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\rDreWbx.exe | C:\Windows\System\rDreWbx.exe |
| C:\Windows\System\KgedotH.exe | C:\Windows\System\KgedotH.exe |
| C:\Windows\System\gkHBXqY.exe | C:\Windows\System\gkHBXqY.exe |
| C:\Windows\System\DfGexrZ.exe | C:\Windows\System\DfGexrZ.exe |
| C:\Windows\System\OEoWvcW.exe | C:\Windows\System\OEoWvcW.exe |
| C:\Windows\System\MgaWYvl.exe | C:\Windows\System\MgaWYvl.exe |
| C:\Windows\System\bZzcaMg.exe | C:\Windows\System\bZzcaMg.exe |
| C:\Windows\System\UJjNtqb.exe | C:\Windows\System\UJjNtqb.exe |
| C:\Windows\System\WCaHcGE.exe | C:\Windows\System\WCaHcGE.exe |
| C:\Windows\System\jagsQZO.exe | C:\Windows\System\jagsQZO.exe |
| C:\Windows\System\rZfsyZY.exe | C:\Windows\System\rZfsyZY.exe |
| C:\Windows\System\enVsYLm.exe | C:\Windows\System\enVsYLm.exe |
| C:\Windows\System\uXmRCHH.exe | C:\Windows\System\uXmRCHH.exe |
| C:\Windows\System\qgcORui.exe | C:\Windows\System\qgcORui.exe |
| C:\Windows\System\LlToKnI.exe | C:\Windows\System\LlToKnI.exe |
| C:\Windows\System\xtGiAOO.exe | C:\Windows\System\xtGiAOO.exe |
| C:\Windows\System\otlDeAF.exe | C:\Windows\System\otlDeAF.exe |
| C:\Windows\System\pQamAyj.exe | C:\Windows\System\pQamAyj.exe |
| C:\Windows\System\dFiKvqq.exe | C:\Windows\System\dFiKvqq.exe |
| C:\Windows\System\PcNtlnF.exe | C:\Windows\System\PcNtlnF.exe |
| C:\Windows\System\oHetrLN.exe | C:\Windows\System\oHetrLN.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\enVsYLm.exe
| MD5 | 49043d3c192727315d4f7b5c6ad7af14 |
| SHA1 | 245ee0bf7cbccf826c30962ef352f9a9a65c9e32 |
| SHA256 | 58b8831596f632d757b5aee54d74bee689e5f236af06178ed80af53f4c27c32d |
| SHA512 | c87c0d41a7d87165d0d6b6a8b363feb9a29c7efe1ecd6a330ae9c4d5b790f3aeb2e944dad2cf48e50c216d7d775f7c3bd9487e4311452031e8ef3c34fb0842fe |
C:\Windows\system\jagsQZO.exe
| MD5 | 5a076b0d86a9a47c0c9fb019d8630d7c |
| SHA1 | f53faeb59b6e8a8375aef6ca5308def294cecfc9 |
| SHA256 | 935cf05b63ce6716dc5ca8e247cd21fb4c4fcaf0d0bb2abedabfd279177dfff6 |
| SHA512 | b814f7acd833ae345f95192893c493a3fb3371101f81e377aa615a459cda191d899cac3014a0ae9348706b8fbaefe5b2b7fd8d65b4021f6b1dc4ce224e3f2516 |
C:\Windows\system\gkHBXqY.exe
| MD5 | 7642514366c7b9b7412ab58993a10384 |
| SHA1 | c3a8e3c2404277ae5bd1c631c2280582b7342c25 |
| SHA256 | 8393ec04ae9b390efa2786684d77b53f62e3847b9eec4fa4fbb73e1e9f9740c8 |
| SHA512 | 0f417c35f38d926e457f14630aa90d9ba35055befb75ec1d4f441056073e9a62b909390e2ceb41b9013e6c82424d07a657552df70f7bc7b4ff67873c131894a0 |
memory/2768-145-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2684-129-0x000000013FA80000-0x000000013FDD1000-memory.dmp
memory/2160-149-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/2072-150-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2676-148-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/2612-147-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2796-146-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2972-144-0x000000013FF00000-0x0000000140251000-memory.dmp
memory/2684-151-0x000000013FA80000-0x000000013FDD1000-memory.dmp
memory/2684-173-0x000000013FA80000-0x000000013FDD1000-memory.dmp
memory/2516-212-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2720-224-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2708-222-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2816-220-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2576-216-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2008-218-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2148-215-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/1184-230-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/2744-236-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2896-242-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2832-240-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2456-238-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2220-234-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/1196-232-0x000000013FC90000-0x000000013FFE1000-memory.dmp